Control: SSL/TLS servers should use strong key exchange mechanism (e.g., ECDHE)
Description
It is recommended to use a strong key exchange mechanism (an ephemeral one such as ECDHE) so that data transferred across the network stays protected. During the handshake both parties agree on a single cipher suite and use its key exchange to derive the session keys (symmetric keys) that encrypt and decrypt the information for the rest of the SSL/TLS session.
Usage
Run the control in your terminal:
powerpipe control run net_insights.control.ssl_use_strong_key_exchange
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run net_insights.control.ssl_use_strong_key_exchange --share
Steampipe Tables
net_tls_connection
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | domain_names | | DNS domain names. | |
SQL
```sql
with domain_list as (
  select
    domain,
    concat(domain, ':443') as address
  from
    jsonb_array_elements_text(to_jsonb($1 :: text [ ])) as domain
),
all_ecdhe_ciphers as (
  select
    address,
    version,
    cipher_suite_name
  from
    net_tls_connection
  where
    address in (select address from domain_list)
    and version in ('TLS v1.3', 'TLS v1.2')
    and cipher_suite_name in (
      'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA',
      'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA',
      'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
      'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
      'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
      'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
      'TLS_AES_128_GCM_SHA256',
      'TLS_AES_256_GCM_SHA384',
      'TLS_CHACHA20_POLY1305_SHA256'
    )
    and handshake_completed
)
select
  d.domain as resource,
  case
    when (
      select count(*) from all_ecdhe_ciphers
      where address = d.address and version = 'TLS v1.3'
    ) > 0 then 'ok'
    when (
      select count(*) from all_ecdhe_ciphers
      where address = d.address and version = 'TLS v1.2'
    ) > 0 then 'ok'
    else 'alarm'
  end as status,
  case
    when (
      select count(*) from all_ecdhe_ciphers
      where address = d.address and version = 'TLS v1.3'
    ) > 0
    or (
      select count(*) from all_ecdhe_ciphers
      where address = d.address
        and version = 'TLS v1.2'
        and split_part(cipher_suite_name, '_', 2) = 'ECDHE'
    ) > 0 then d.domain || ' uses strong key exchange mechanism.'
    else d.domain || ' does not use strong key exchange mechanism.'
  end as reason
from
  domain_list as d;
```
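The query above passes a domain when at least one completed handshake negotiated TLS 1.3, or TLS 1.2 with an ECDHE suite from its list. The following is an added example, not part of the control or the net_insights mod: it re-implements that decision in Python over constructed rows shaped like `net_tls_connection` output, so the status and reason a domain receives can be traced without a live scan. The domain names and handshake rows are made up for illustration; `key_exchange` and `evaluate` are names chosen here.

```python
# Added example: the ssl_use_strong_key_exchange decision logic in Python,
# evaluated over constructed net_tls_connection-style rows (not real scan data).

# The cipher suites the control's SQL accepts. TLS 1.3 suite names carry no
# key-exchange token because the protocol only permits ephemeral (EC)DHE.
STRONG_SUITES = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})

TLS13 = "TLS v1.3"
TLS12 = "TLS v1.2"


def key_exchange(version, cipher_suite_name):
    """Name the key-exchange mechanism a negotiated suite implies.

    Mirrors the SQL's split_part(cipher_suite_name, '_', 2): for TLS 1.2 the
    second underscore-separated token is the key exchange (ECDHE, DHE, RSA, ...).
    TLS 1.3 names omit it, so the version alone tells us it is ephemeral ECDHE.
    """
    if version == TLS13:
        return "ECDHE"
    return cipher_suite_name.split("_")[1]


def evaluate(domain_names, rows):
    """Return {domain: (status, reason)} using the control's rules.

    domain_names plays the role of the control's $1 argument; rows stand in
    for net_tls_connection (address, version, cipher_suite_name,
    handshake_completed). Only completed handshakes on TLS 1.3, or TLS 1.2
    with an ECDHE suite from STRONG_SUITES, count in a domain's favour.
    """
    accepted = {}  # address -> versions that completed with an accepted suite
    for r in rows:
        if not r["handshake_completed"] or r["version"] not in (TLS13, TLS12):
            continue
        if r["cipher_suite_name"] not in STRONG_SUITES:
            continue
        if r["version"] == TLS12 and key_exchange(TLS12, r["cipher_suite_name"]) != "ECDHE":
            continue
        accepted.setdefault(r["address"], set()).add(r["version"])

    results = {}
    for domain in domain_names:
        versions = accepted.get(f"{domain}:443", set())
        if versions:
            results[domain] = ("ok", f"{domain} uses strong key exchange mechanism.")
        else:
            results[domain] = ("alarm", f"{domain} does not use strong key exchange mechanism.")
    return results


# Constructed sample input (hypothetical domains, not captured handshakes).
SAMPLE_DOMAINS = ["modern.example", "legacy.example", "static-rsa.example", "unreachable.example"]
SAMPLE_ROWS = [
    # TLS 1.3: key exchange is always ephemeral -> ok
    {"address": "modern.example:443", "version": TLS13,
     "cipher_suite_name": "TLS_AES_256_GCM_SHA384", "handshake_completed": True},
    # TLS 1.2 with an ECDHE suite -> ok
    {"address": "legacy.example:443", "version": TLS12,
     "cipher_suite_name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "handshake_completed": True},
    # TLS 1.2 with static RSA key exchange -> not accepted
    {"address": "static-rsa.example:443", "version": TLS12,
     "cipher_suite_name": "TLS_RSA_WITH_AES_128_GCM_SHA256", "handshake_completed": True},
    # An ECDHE attempt that did not complete does not count
    {"address": "static-rsa.example:443", "version": TLS12,
     "cipher_suite_name": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "handshake_completed": False},
    # unreachable.example has no rows at all -> alarm, as in the SQL
]

if __name__ == "__main__":
    for domain, (status, reason) in evaluate(SAMPLE_DOMAINS, SAMPLE_ROWS).items():
        print(f"{status:5}  {reason}")
```

Two points the worked rows make visible: a domain that produced no completed handshake at all (unreachable, or only failed attempts) lands in `alarm` rather than being skipped, so a transient connectivity failure during the scan reads the same as a weak configuration and is worth re-running; and because the accepted list contains only ECDHE and TLS 1.3 suites, a server that offers ephemeral finite-field DHE suites but no ECDHE is also reported as `alarm`.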